Let $p \equiv 2 \bmod 3$ be a prime number such that $6 \cdot \log_2(p) \approx 1024$ and such that
(p) = $p^2 - p + 1$ has a prime factor $q$ with $\log_2(q) > 160$. Such $p$ and $q$ (or of any other
reasonable desired size) can quickly be found by picking a prime $q \equiv 7 \bmod 12$, by
finding the two roots $r_1$ and $r_2$ of $x^2 - x + 1 \equiv 0 \bmod q$, and by finding an integer $k$ such
that $r_i$ + is 2 mod 3 and prime for $i$ = 1 or 2. If desired, primes $q$ can be selected until
the smallest or the largest root is prime, or any other straightforward variant that fits
one's needs may be used, for instance to get $\log_2(q) \approx 180$ and $6 \cdot \log_2(p) \approx 3000$, i.e.,
$\log_2(p)$ considerably bigger than $\log_2(q)$. From $q \equiv 7 \bmod 12$ it follows that $q \equiv 1 \bmod 3$
so that, with quadratic reciprocity, $x^2 - x + 1 \equiv 0 \bmod q$ has two roots. It also follows that
$q \equiv 3 \bmod 4$, which implies that those roots can be found using a single $((q+1)/4)$th
powering modulo $q$.
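The selection procedure above, as an added Python example that is not part of the original text. The function names are hypothetical, and the candidate form p = r + k*q is an assumption (the source line is damaged at that point); it is the form that keeps p congruent to a root r modulo q, so that q divides p^2 - p + 1.

```python
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def roots_mod_q(q):
    """Both roots of x^2 - x + 1 mod q, for a prime q = 7 mod 12."""
    s = pow(q - 3, (q + 1) // 4, q)   # square root of -3: one (q+1)/4-th powering
    half = (q + 1) // 2               # inverse of 2 modulo q
    return (1 + s) * half % q, (1 - s) * half % q

def select_parameters(q_bits=160, p_bits=171):
    """Return primes (p, q): q = 7 mod 12, p = 2 mod 3, q divides p^2 - p + 1.

    q has exactly q_bits bits; p has p_bits bits or one fewer.
    """
    while True:
        q = 12 * (secrets.randbits(q_bits) // 12) + 7   # random q = 7 mod 12
        if q.bit_length() != q_bits or not is_probable_prime(q):
            continue
        for r in roots_mod_q(q):
            for _ in range(64):
                d = p_bits - q_bits
                k = secrets.randbits(d) | (1 << (d - 1))
                p = r + k * q   # assumed candidate form: p = r mod q
                if p % 3 == 2 and is_probable_prime(p):
                    return p, q
```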



By $g \in \mathrm{GF}(p^6)$ we denote an element of order $q$. It is well known that $g$ is not contained
in any proper subfield of $\mathrm{GF}(p^6)$ (cf. [4]). In the next section it is shown that there is no
need for an actual representation of $g$ and that arithmetic on elements of $\mathrm{GF}(p^6)$ can be
entirely avoided. Thus, there is no need to represent elements of $\mathrm{GF}(p^6)$, for instance by
constructing an irreducible 3rd degree polynomial over $\mathrm{GF}(p^2)$. A representation of
$\mathrm{GF}(p^2)$ is needed however. This is done as follows.



From $p \equiv 2 \bmod 3$ it follows that $p \bmod 3$ generates $\mathrm{GF}(3)^*$, so that the zeros $\alpha$ and $\alpha^p$
of the polynomial $(X^3 - 1)/(X - 1) = X^2 + X + 1$ form an optimal normal basis for
$\mathrm{GF}(p^2)$ over $\mathrm{GF}(p)$. Because $\alpha^i = \alpha^{i \bmod 3}$, an element $x \in \mathrm{GF}(p^2)$ can be represented as
$x_0\alpha + x_1\alpha^p = x_0\alpha + x_1\alpha^2$ for $x_0, x_1 \in \mathrm{GF}(p)$, so that $x^p = x_0^p\alpha^p + x_1^p\alpha^{2p} = x_1\alpha + x_0\alpha^2$.



Figure 5 is a flow diagram of the method for selection of "p", as shown 
in section 2.1. 
Algorithm for the computation of T(n) given B = Given B (and $B^p$), we show
how S(n+1) and S(2n) can be computed based on S(n). Computation of T(n) for arbitrary
n then follows using the ordinary square and multiply method based on S(1) = ($B^p$, 3, B)
(cf. Definition 2.4.3).



• S(n+1) can be computed from S(n) using Corollary 2.4.2.ii. This takes two
multiplications in $\mathrm{GF}(p^2)$.



• S(2n) can be computed by first using Corollary 2.4.2.i to compute T(2n-2) and T(2n)
given S(n), at the cost of two squarings in $\mathrm{GF}(p^2)$, followed by an application of
Corollary 2.4.2.iii to compute T(2n-1) at the cost of two multiplications in $\mathrm{GF}(p^2)$.

In both steps we use that pth powering is for free in $\mathrm{GF}(p^2)$.



Figure 6 is a flow diagram of the arithmetic method to support key 
generation, as shown in section 2.4.4. 
Algorithm 3.3.8 for the computation of B.

1. Pick at random an element $B' \in \mathrm{GF}(p^2)^* \setminus \mathrm{GF}(p)^*$;

2. Use Algorithm 2.4.7 with B replaced by B' and T replaced by V to compute V(p+1)
(i.e., with B' = T(1) = V(1));

3. If $V(p+1) \in \mathrm{GF}(p)$, then return to Step 1;

4. Use Algorithm 2.4.7 with B replaced by B' to compute $T((p^2 - p + 1)/q)$ (i.e., with
B' = T(1));

5. If $T((p^2 - p + 1)/q) = 3$, then return to Step 1;

6. Let $B = T((p^2 - p + 1)/q)$.



Figure 7 is a flow diagram of the method of key generation, as shown in 
section 3.3.8. 
4.1 Application to the Diffie-Hellman scheme

Suppose that two parties, Alice and Bob, who both have access to the public key data p, 
q, B want to agree on a shared secret key. They can do this by performing the following 
variant of the Diffie-Hellman scheme: 

1. Alice selects at random an integer a, 1 < a < q - 2, uses Algorithm 2.4.7 to compute
$V_A = T(a) \in \mathrm{GF}(p^2)$, and sends $V_A$ to Bob.

2. Bob receives $V_A$ from Alice, selects at random an integer b, 1 < b < q - 2, uses
Algorithm 2.4.7 to compute $V_B = T(b) \in \mathrm{GF}(p^2)$, and sends $V_B$ to Alice.

3. Alice receives $V_B$ from Bob, and uses Algorithm 2.4.8 with B replaced by $V_B$ (i.e.,
with $V_B = T(1)$) to compute $K_{AB} = T(a) \in \mathrm{GF}(p^2)$.

4. Bob uses Algorithm 2.4.8 with B replaced by $V_A$ (i.e., with $V_A = T(1)$) to compute
$K_{AB} = T(b) \in \mathrm{GF}(p^2)$.

The length of the messages exchanged in this DH variant is about one third of the length 
of the messages in other implementations of the DH scheme that achieve the same level 
of security and that are based on the difficulty of computing discrete logarithms in (a 
subgroup of) the multiplicative group of a finite field. Also, our variant of the DH scheme 
requires considerably less computation than those previously published methods (cf.
Remark 2.4.10). 



Figure 8 is a flow diagram of the method of Diffie Hellman key 
exchange, as shown in section 4.1, using keys generated by the method 
of Figure 7. 
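The GF(p^2) representation, the computation of T(n), the key generation of Algorithm 3.3.8 and the exchange of section 4.1, combined in one added Python example that is not part of the original text. Corollary 2.4.2 is not reproduced on this page, so the recurrences below are the published XTR trace identities and are an assumption about its content; the ladder is a plain double-and-add variant, the function names are hypothetical, and the parameters are constructed toy values.

```python
import secrets

# Constructed toy parameters (not secure): p = 2 mod 3, prime q | p^2 - p + 1.
P, Q = 41, 547
THREE = (-3 % P, -3 % P)        # the integer 3, because 1 = -alpha - alpha^2

def mul(x, y):
    """Product in GF(p^2); (x0, x1) stands for x0*alpha + x1*alpha^2."""
    cross = x[0] * y[1] + x[1] * y[0]
    return ((x[1] * y[1] - cross) % P, (x[0] * y[0] - cross) % P)

def conj(x):
    """x^p: p-th powering only swaps the two coordinates."""
    return (x[1], x[0])

def sub(x, *ys):
    """x minus every element of ys."""
    return ((x[0] - sum(y[0] for y in ys)) % P, (x[1] - sum(y[1] for y in ys)) % P)

def double(t):
    """T(2n) = T(n)^2 - 2*T(n)^p."""
    return sub(mul(t, t), conj(t), conj(t))

def trace_pow(B, n):
    """T(n) for T(1) = B and n >= 1; branches on n, so not constant time."""
    lo, mid, hi = THREE, B, double(B)          # T(m-1), T(m), T(m+1) for m = 1
    for bit in bin(n)[3:]:
        below = sub(mul(lo, mid), sub(mul(conj(B), conj(mid)), conj(hi)))  # T(2m-1)
        above = sub(mul(hi, mid), sub(mul(B, conj(mid)), conj(lo)))        # T(2m+1)
        if bit == "0":
            lo, mid, hi = below, double(mid), above
        else:
            lo, mid, hi = double(mid), above, double(hi)
    return mid

def generate_B():
    """Algorithm 3.3.8: the representation B of an element of order q."""
    while True:
        cand = (secrets.randbelow(P), secrets.randbelow(P))
        v = trace_pow(cand, P + 1)
        B = trace_pow(cand, (P * P - P + 1) // Q)
        # Retry if cand or V(p+1) lies in GF(p) (x0 == x1), or if T(...) = 3.
        if cand[0] != cand[1] and v[0] != v[1] and B != THREE:
            return B

def dh_exchange(B):
    a, b = (2 + secrets.randbelow(Q - 4) for _ in range(2))   # 1 < a, b < q - 2
    VA, VB = trace_pow(B, a), trace_pow(B, b)  # the two messages sent
    return trace_pow(VB, a), trace_pow(VA, b)  # Alice's K_AB, Bob's K_AB
```

Each message is a single GF(p^2) element, two coordinates modulo p; this is the representation behind the one-third message length stated above.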
4.2 Application to the ElGamal encryption scheme

Suppose that Alice is the owner of the public key data p, q, B, and that Alice has selected
a secret integer k and computed the corresponding public value C = T(k) using Algorithm
2.4.7. Thus, Alice's public key data consists of (p, q, B, C). Given Alice's public key (p,
q, B, C), Bob can encrypt a message M intended for Alice using the following variant of
ElGamal encryption:

1. Bob selects at random an integer b, 1 < b < q - 2; 

2. Bob uses Algorithm 2.4.7 to compute $V_B = T(b) \in \mathrm{GF}(p^2)$;

3. Bob uses Algorithm 2.4.7 with B replaced by C (i.e., with C = T(1)) to compute K =
$T(b) \in \mathrm{GF}(p^2)$;

4. Bob uses K to encrypt M, resulting in the encryption E. 

5. Bob sends ($V_B$, E) to Alice.

Note that Bob may have to hash the bits representing K down to a suitable encryption key 
length. 

Upon receipt of ($V_B$, E), Alice decrypts the message in the following manner:

1. Alice uses Algorithm 2.4.7 with B replaced by $V_B$ (i.e., with $V_B = T(1)$) to compute K
$= T(k) \in \mathrm{GF}(p^2)$;

2. Alice uses K to decrypt E resulting in M. 

The message ($V_B$, E) sent by Bob consists of the actual encryption E, whose length
strongly depends on the length of M, and the overhead $V_B$, whose length is independent of
the length of M. The length of the overhead in this variant of the ElGamal encryption
scheme is about one third of the length of the overhead in other implementations of 
message-length independent ElGamal encryption (cf. Remark 4.2.1). Also, our method is 
considerably faster (cf. Remark 2.4.10). 



Figure 9 is a flow diagram of the method of ElGamal encryption, as 
shown in section 4.2, using keys generated by the method of Figure 7. 
Algorithm 2.5.3 for the computation of the representation of $g^a \cdot y^b$ for integers a, b
with $1 < a, b < q$, given the representation B of g and the representations $C$, $C_+$, and
$C_-$ of $y$, $y \cdot g$, and $y/g$, respectively.

1. Compute $c = a/b \bmod q$;

2. Given B use Algorithm 2.4.7 to compute T(c+1), T(c), T(c-1) (note that the final
applications of Corollary 2.4.2.i in Algorithm 2.4.7, if any, should be replaced by the
usual calculation of the full S(2n));

3. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = $B^p$, T(c), T(c+1), and T(c-1) to
compute $A^c$;

4. Use Lemma 2.5.2 with T(0) = 3, T(1) = B, T(-1) = $B^p$, T(k) = C, T(k+1) = $C_+$, and
T(k-1) = $C_-$ to compute the corresponding power of A, which we denote by $A^k$, even
though k is unknown;

5. Compute $A^{c+k}$;

6. Using Lemma 2.5.1 and $A^{c+k}$ compute T(c + k);

7. Use Algorithm 2.4.7 with B replaced by T(c + k) and n replaced by b to compute the
representation T((c + k) * b) = T(a + k * b) of $g^a$ *



Figure 10A is a flow diagram of the arithmetic method to support 
generating digital signatures, as shown in section 2.5.3. 
4.3 Application to digital signature schemes

Let, as in 4.2, Alice's public key data consist of (p, q, B, C), where C = T(k) and k is
Alice's private key. Furthermore, assume that $C_+$ = T(k+1) and $C_-$ = T(k-1) are included
in Alice's public key (cf. 2.5). We show how the Nyberg-Rueppel (NR) message 
recovery signature scheme can be implemented using our subgroup representation. 
Application of our method to other digital signature schemes goes in a similar way. To 
sign a message M containing an agreed upon type of redundancy, Alice does the 
following: 

1. Alice selects at random an integer a, 1 < a < q - 2;

2. Alice uses Algorithm 2.4.7 to compute $V_A = T(a) \in \mathrm{GF}(p^2)$;

3. Alice uses $V_A$ to encrypt M, resulting in the encryption E.

4. Alice computes the (integer valued) hash h of E.

5. Alice computes s = (k * h + a) modulo q in the range {0, 1, ..., q-1}.

6. Alice's resulting signature on M is (E,s). 

As in 4.2 Alice may have to hash the bits representing $V_A$ down to a suitable encryption
key length. 

To verify Alice's signature (E, s) and to recover the signed message M, Bob does
the following: 

1. Bob obtains Alice's public key data (p, q, B, C, $C_+$, $C_-$).

2. Bob checks that 0 < s < q; if not failure. 

3. Bob computes the hash h of E (using the same hash function used by Alice).

4. Bob replaces h by -h modulo q (i.e., in the range {0, 1, ..., q-1}).

5. Bob uses Algorithm 2.5.3 to compute the representation $V_B$ of $g^s \cdot y^h$ given a = s, b =
h, B, C, $C_+$, and $C_-$.

6. Bob uses $V_B$ to decrypt E, resulting in the message M.

7. If M contains the agreed upon type of redundancy, then the signature is accepted; if 
not the signature is rejected. 



Figure 10B is a flow diagram of the method of generating digital 
signatures, as shown in section 4.3, using keys generated by the method
of Figure 7. 